141
linuxxx
5y

Recently had an interview with a company. At some point an SELinux question came up and while I didn't provide the best answer ever (I'm hardly familiar with SELinux and mentioned that as well beforehand so they knew), it was technically correct and the reaction of the interviewers was funny.

TI (technical interviewer): say your php script isn't executed and after a while you find out that SELinux is blocking php script execution, how can you fix that?
Me: setenforce 0...? (essentially disabling SELinux at all)
TI: disabling it entirely for getting php execution to work?! That doesn't sound like a good solu...
HRI (HR (non technical) interviewer, also present): *turns to TI* - but, would it solve the problem?
TI: 😐 well, yes, but... That's a bad thing to do so I wouldn't count is corre..
HRI: *still aiming towards TI* but you simply asked him for a way to solve the php execution issue, would his answer work? Regardless of whether it's the best or worst solution, would it be a solution which works?
TI: well... yes...
HRI: then he answered correctly I'd say, next!

(yes, I'm aware that my answer wasn't good as for security at all but it would have solved that problem which is what was asked)

Comments
  • 58
    That recruiter is boss hahaha
  • 13
    I like that guy!

    Mind you I know enough about selinux to know setenforce 0 is handy when you think selinux is the culprit, but you turn it back on 😏
  • 9
    Not sure if this is the actual transcript or it's loosely paraphrased. Either way it would be better to say: "one way to do it is {....} but that brings security issues, I probably would perform a quick search the first time so I would know what to do in the future"

    That shows you know a solution, that you care about security and can work without people having to hold your hand.
  • 5
    Bless that HRI
  • 2
    Wait, if you had gotten the question wrong, would the interview have ended there?
  • 5
    Not sure I agree with the comments here.
    If the TI knows his shit, the HRI has no business sticking his nose in the TI's realm.
    If I were the hiring manager, I'd seat those two in separate rooms.
  • 3
    @k0pernikus Nahh, it'd go on :)
  • 6
    Your answer was pretty much like:

    chmod -R 777 /
  • 1
    so what should be the "good" solution?
  • 3
    @ctrl-alt-del Disabling the specific SELinux module which is blocking the execution.
  • 5
    What was happening in IT's head:
  • 1
    I disable SELinux as a matter of principle. It causes far more problems than it solves, and is less useful in container workloads anyway.
  • 1
  • 0
    @theKarlisK you mean:
    Disable se linux, disable firewall, set web server to run as root, chown everything in web root to root:root. Hacked.
  • 0
    that HR guy sounds like a trolling programmer. i like him.
  • 0
    @madumlao that article is actually lit
  • 0
    @ctrl-alt-del : The Best Solution is to go about creating SeLinux Policy which would allow the traffic to take place.

    Somewhat like:
    https://serverlab.ca/tutorials/...
  • 0
    No matter what a better answer would be, I find that really refreshing.

    Thanks, mate, that really made my day! 😊
Add Comment